July 2017

July 31, 2017

Angela A. Turiano is a lawyer with Bressler, Amery & Ross. As the New York Times reported on July 21st, when a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Mr. Sinderbrand expected to receive a selection of emails and documents related to the case.

What he got – by accident – was a vast trove of confidential information about tens of thousands of the bank's wealthiest clients. The 1.4 gigabytes of files that Wells Fargo's lawyer sent included many spreadsheets with customers' names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.

By Mr. Sinderbrand's estimate, he had financial information for at least 50,000 individual customers. In all, Mr. Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all delivered to him as part of the discovery process in his lawsuit.

The files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo's. While the documents were not filed in court, it would be legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.

Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., was hired by Wells Fargo, which is not a party to the suit. Mr. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Ms. Turiano about the sensitive documents now in their hands.

In an email response, Ms. Turiano described the disclosure as "inadvertent," and wrote, "Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted."

Mr. Zeisler said his client intended to keep the CD secure and confidential. "We are continuing to evaluate his legal rights and responsibilities," Mr. Zeisler said. "Wells Fargo has not identified what specific documents it asserts were inadvertently exposed."

The disclosure is a data breach that potentially violates a number of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.

Based on the fairly narrow subpoena that his lawyer submitted, which sought communications about Mr. Sinderbrand's employment and compensation, there was no reason for the bank to turn over such information, especially without any redactions, Mr. Sinderbrand said.

In terms of information security, litigation poses a special risk because confidential material often must change hands. The legal industry's best practices for handling digital documents in e-discovery include careful reviews to exclude or redact personally identifiable information, encryption and other safeguards as data is transferred.

Confidential information is also often covered by a protective order, which must be granted by a judge, to prevent the data's recipients from sharing it more widely. None of that seemed to have happened here, reflecting a breakdown in vetting at multiple levels.

In Ms. Turiano's email to Mr. Sinderbrand's lawyer, she wrote: "We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error — which I am confirming now."

Following up on the story, Naked Security reported on July 27th that Wells Fargo & Co offered apologies to approximately 50,000 Wells Fargo Advisors clients whose information was inappropriately shared by Wells Fargo outside counsel.

As the article pointed out, to create a disk with 1.4GB of data (which equates to approximately 14,000 documents) is not an insignificant electronic litigation support task. As noted, Ms. Turiano blamed vendor error, effectively throwing the unidentified vendor under the bus.

In this instance, accepting Turiano's explanation, the information was identified, isolated and compiled. Indeed, she notes the process included a laborious email review and guidance provided to their vendor on exclusions. Then the information was "spot-checked." In an affidavit to the court to explain what happened, she explained, "Unbeknownst to me, the view I was using to conduct the review has a set limit of documents that it showed at one time. I thought I was reviewing a complete set, when in fact, I only reviewed the first thousand documents."

The non-excluded information was then copied to the disk and provided to opposing counsel. Wells Fargo, once notified, went into crisis control mode. Given that Miller had shared the information with the New York Times and had not returned it to Turiano, Wells Fargo filed suit to compel Miller to return the information that had been mistakenly shared by its outside counsel. On July 26th, Sinderbrand and his attorneys were ordered to return the data to the court for safekeeping.

Wells Fargo then acknowledged the e-discovery error, saying: "We take the security and privacy of our customers' information very seriously. Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."

This appears to be a case implicating the duty of competence. The lawyer didn't understand what she was viewing.
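The failure described above (a paginated review view, a reviewer who saw only the first page, and personal data going out on the production disk) is the kind of thing a mechanical gate catches before anything is burned to media. The following Python is an added illustration, not code from the blog, the law firm or any e-discovery vendor: it treats the reviewer's coded set as the slice of the export the viewer actually displayed, refuses to clear any produced document that was never coded, and holds back any document that still contains a Social Security number pattern. Document IDs, text, page size and the SSN pattern are all constructed for the example.

```python
"""Pre-production gate for an e-discovery document set (added example).

Two checks run before anything is written to the production disk:
  1. Every document tagged for production must appear in the set the
     reviewer actually coded.  A reviewer who only saw the first page of a
     paginated view fails this for every document on later pages.
  2. Any document still containing a Social Security number pattern is held
     back regardless of its review tag.
All IDs and text are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# US SSN shape; the negative lookaheads drop values SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Document:
    doc_id: str
    text: str


@dataclass
class GateResult:
    cleared: list = field(default_factory=list)
    unreviewed: list = field(default_factory=list)
    pii_hits: dict = field(default_factory=dict)  # doc_id -> number of SSNs found

    @property
    def ok(self) -> bool:
        return not self.unreviewed and not self.pii_hits


def reviewer_coded_ids(review_export: list, page_size: int, pages_seen: int) -> set:
    """IDs the reviewer actually looked at when the viewer showed `page_size`
    rows per page and the reviewer paged through only `pages_seen` pages.
    The export holds every row; the reviewer's eyes did not."""
    return set(review_export[: page_size * pages_seen])


def gate_production(production: list, coded_ids: set) -> GateResult:
    """Classify each document in the proposed production set."""
    result = GateResult()
    for doc in production:
        if doc.doc_id not in coded_ids:
            result.unreviewed.append(doc.doc_id)   # nobody ever read this one
            continue
        hits = SSN_RE.findall(doc.text)
        if hits:
            result.pii_hits[doc.doc_id] = len(hits)  # reviewed, but not redacted
            continue
        result.cleared.append(doc.doc_id)
    return result


def demo() -> GateResult:
    # Constructed review export of 1,500 IDs; the viewer showed 1,000 at a time
    # and, as in the affidavit, only the first page was reviewed.
    export = [f"DOC-{n:05d}" for n in range(1, 1501)]
    coded = reviewer_coded_ids(export, page_size=1000, pages_seen=1)
    production = [
        Document("DOC-00042", "Re: compensation discussion, see attached memo."),
        Document("DOC-00900", "Client ledger: J. Doe, SSN 123-45-6789, portfolio $4.2M."),
        Document("DOC-01250", "Advisor fee schedule for Q2."),
    ]
    return gate_production(production, coded)


if __name__ == "__main__":
    r = demo()
    print("cleared:", r.cleared)
    print("never reviewed:", r.unreviewed)
    print("still contain SSNs:", r.pii_hits)
    print("safe to produce:", r.ok)
```

The second check matters even when the first passes: a spot-checked review can still miss rows, so the gate scans the text itself rather than trusting the tag. A real pipeline would add account numbers, dates of birth and any other identifier the protective order covers to the pattern list.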

As Naked Security said, "Companies would be well served to have in place an audit capability for both inside and outside counsel (and vendors) to ensure there is visibility into the EDRM and e-discovery process from beginning to end, with emphasis on accomplishing the process in the most secure manner possible."

July 27, 2017

June 27th was not a good day for DLA Piper, FedEx, Merck, Cadbury and a host of others. As CNET reported, the apparent ransomware attack that swept across the world wasn't about the money. GoldenEye, also known as NotPetya, swarmed computers on June 27th, asking for the paltry sum of $300 to decrypt data.

But now experts believe nation-state attackers are using ransomware as a screen, with the real goal of destroying data. The revelation is a surprising new aspect of an escalating cyberwar between countries that has already compromised infrastructure, elections and businesses.

The biggest tipoff that something was wrong came from how the hackers planned to collect the ransom. The e-mail provider Posteo shut down the single address that victims were supposed to use to contact the hackers, so nobody who paid could receive a key, which suggests that aspect of the operation wasn't well thought out. Two days after GoldenEye hit, it had made only about $10,000.

Researchers from both Comae Technologies and Kaspersky Lab found that GoldenEye was a wiper, designed to destroy data. It used as its base a form of ransomware called Petya (hence the NotPetya name) to encrypt crucial files, harvest login credentials from memory and overwrite the hard drive's boot record so the machine cannot start.

GoldenEye started as an attack on a single organization, with the malware riding on a software update for MeDoc, Ukraine's most popular tax-filing software. From that one entry point, it spread to multibillion-dollar companies that were using the software; all of them have branches in Ukraine. About 60 percent of the attacks happened in Ukraine, according to Kaspersky Lab. GoldenEye, like WannaCry, used a leaked National Security Agency exploit (EternalBlue, against Windows file sharing over SMB) to get into one PC, then used Windows' own remote-administration tools, together with the credentials it had stolen, to spread to every other computer on the same network.

Ukraine has been plagued by cyberattacks attributed to Russian state-sponsored hackers, who appear to treat the country as a testing ground for attacks on major infrastructure. Beyond Ukraine, the collateral damage continued after more than 200,000 computers around the world were infected. The attack showed hackers don't even have to target countries directly to have the intended effect.
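The two spread paths described above, an exploit that only works against unpatched machines and reuse of stolen credentials that works against patched ones too, explain why a single infected PC can take a whole network down. The following Python is an added model, not code from CNET, Kaspersky, Comae or the malware itself: it computes the set of hosts a worm with both paths can reach from a patient zero, and lets you compare a fully patched network with and without a privileged account left logged in on the first victim. The five hosts, their patch state and the accounts on them are constructed for the example.

```python
"""Blast-radius model for a worm with two spread paths (added example).

Path 1: an SMB exploit that succeeds only against unpatched hosts.
Path 2: credentials harvested from an infected host, reused against any host
        where one of those accounts is a local admin, patched or not.
Hostnames, patch state and accounts below are constructed for the example.
"""


def infected_set(hosts: dict, smb_reachable: dict, patient_zero: str) -> set:
    """Return every host the worm reaches from patient_zero.

    hosts[name] = {"patched": bool,
                   "admins": accounts that are local admins on this host,
                   "logged_in": accounts whose credentials sit in memory here}
    smb_reachable[name] = hosts that name can reach on 445/tcp
    Runs to a fixed point because a credential stolen late in the spread can
    open a host that was unreachable on an earlier pass.
    """
    infected = {patient_zero}
    harvested = set(hosts[patient_zero]["logged_in"])
    changed = True
    while changed:
        changed = False
        for src in list(infected):
            for dst in smb_reachable.get(src, ()):
                if dst in infected:
                    continue
                exploit_path = not hosts[dst]["patched"]
                cred_path = bool(harvested & hosts[dst]["admins"])
                if exploit_path or cred_path:
                    infected.add(dst)
                    harvested |= hosts[dst]["logged_in"]   # loot the new victim
                    changed = True
    return infected


def demo_network(patch_all: bool = False, domain_admin_on_patient_zero: bool = False):
    """Constructed five-host office network; 'accounting-pc' runs the tax software."""
    pz_logged_in = {"alice"} | ({"domadmin"} if domain_admin_on_patient_zero else set())
    hosts = {
        "accounting-pc": {"patched": patch_all, "admins": {"alice"}, "logged_in": pz_logged_in},
        "hr-pc":         {"patched": patch_all, "admins": {"bob"}, "logged_in": {"domadmin"}},
        "file-server":   {"patched": True, "admins": {"domadmin"}, "logged_in": {"domadmin"}},
        "dev-pc":        {"patched": True, "admins": {"domadmin", "carol"}, "logged_in": {"carol"}},
        "isolated-pc":   {"patched": False, "admins": {"dave"}, "logged_in": {"dave"}},
    }
    lan = {"accounting-pc", "hr-pc", "file-server", "dev-pc"}
    smb = {h: lan - {h} for h in lan}   # flat network: every host reaches every other on 445
    smb["isolated-pc"] = set()          # segmented: no SMB path in or out
    return hosts, smb


def run_scenario(patch_all: bool, domain_admin_on_patient_zero: bool) -> set:
    hosts, smb = demo_network(patch_all, domain_admin_on_patient_zero)
    return infected_set(hosts, smb, "accounting-pc")


if __name__ == "__main__":
    print("flat network, two unpatched hosts:", sorted(run_scenario(False, False)))
    print("fully patched:", sorted(run_scenario(True, False)))
    print("fully patched, but a domain admin was logged in on patient zero:",
          sorted(run_scenario(True, True)))
```

In the first scenario the exploit takes the unpatched HR machine, the domain admin who had logged in there is harvested, and that one credential opens the patched file server and developer PC. Patching everything stops the spread in the second scenario, but the third shows that patching alone is not enough: a privileged session on the first victim hands the worm the whole network anyway, which is why credential hygiene and segmentation (the isolated host is never reached) are part of the defense.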

The legal world was rocked by the news that DLA Piper was down; it appears to have contracted the malware via a DLA office in Spain. Phones and computers were knocked out across the firm (and some were shut down as a precaution), with reporters unable to reach anyone at DLA Piper via e-mail (they got a "not deliverable" message).

With offices in more than 40 countries and several thousand lawyers, DLA Piper is one of the largest law firms in the world.

On June 28th, DLA released the following statement which was updated (I am not sure which part was updated):

Following reports of a malware attack, a DLA Piper spokesperson said: "On June 27, 2017, our advanced-warning system detected suspicious activity on our network, which, based on our investigation to date, appears to be related to the global cyber event known as "Petya". Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems.

We immediately began our investigation and remediation efforts, working closely with leading external forensic experts and relevant authorities, including the FBI and UK National Crime Agency. We are working to bring our systems safely back online."

On July 3rd, it posted the following update:

"Following the widely reported malware incident that occurred on Tuesday 27 June, we have brought our email safely back online, and continue to bring other systems online in a secure manner.

The firm took immediate steps to contain the threat, and we have seen no evidence that client data was taken or that there was a breach of confidentiality of that data."

Short and sweet, with no word of the vulnerability or vulnerabilities that allowed the malware into the firm. Hard to be critical without knowing what went on. It was a hell of a plunge into crisis management and I'm guessing that the firm's Incident Response Plan (since no plan survives first contact with the enemy) is being revised. The School of Hard Knocks imparts valuable lessons. I have no doubt other large firms held emergency meetings to reassure themselves they were not vulnerable to the attack.

You can find a good guide explaining NotPetya (and the defenses against it) here. Hat tip to Dave Ries for the link.

July 26, 2017

As InfoWorld noted in a post, the WannaCry ransomware and the NotPetya worm remind us of why the cloud is a safer place for businesses to do their computing.

John and I were cloud curmudgeons originally, not liking the idea of entrusting a third party with law firm data. But our friend Jim Calloway finally persuaded us that for many law firms, the cloud would protect law firm data better than the law firms would.

Running in a major public cloud makes you less likely to be breached by commodity attacks like these. The providers layer their defenses, monitor their platforms around the clock, spot and block attacks quickly, and apply operating-system, application and service patches automatically for the services they manage. One caveat: that automatic patching covers the provider's side of the line. A virtual machine you stand up yourself is still yours to patch, and an unpatched Windows server in the cloud was just as exposed to WannaCry as one in a closet.

No major cloud provider has been a victim of any of the major malware attacks of the last few years. That's a powerful argument for the cloud.

And indeed, we are seeing more and more law firms take their computing to the cloud. What sometimes mystifies us is their absolute belief that the cloud will be cheaper. That has not been our experience. The cloud isn't cheap – and you cannot dispense with issuing lawyers laptops. Our own math tends to show the cloud as being more expensive over the long run.

Is that a reason not to move to the cloud? Not at all – but don't think you're saving money in the process. Reducing risk is a strong argument for spending the extra money. Just make sure you do your due diligence. ISO created a new standard called ISO 19086 several months ago which establishes a framework for cloud service level agreements (SLAs). There are a lot of online resources about what questions to ask cloud providers – gather as many as you can in order to evaluate the security of your data!

July 25, 2017

From across the pond, some interesting news. As Naked Security reported, a year ago Citrix UK commissioned a poll to find out what British businesses were doing to prepare for ransomware attacks. The answer was that a third of UK companies were stockpiling digital currency, mostly in bitcoins, to pay the ransom if they became victims of a ransomware attack.

More than 35% of the large firms Citrix surveyed were willing to pay over £50,000 (USD $64,555) to regain access to important intellectual property or business-critical data.

Now, fast forward a year through the massive global WannaCry attack, fueled by a leaked NSA exploit (and then NotPetya), and it seems they're doing the same thing, only the currency pile they're sitting on has swelled.

According to Citrix's Chris Mayers, the latest research, published to coincide with Infosec Europe 2017, shows that large British businesses are now prepared to pay out an average of £136,235 (USD $175,896) to regain access to their critical data.

That's up, on average, by 361% over last year's research – a pretty massive increase!

Such payoff prep isn't limited to ransomware: In October, the Guardian reported that several of London's biggest banks were looking to stockpile Bitcoins in order to pay off crooks threatening to bring down their critical IT systems via massive DDoS attacks.

As is well known, it is hard to buy a lot of digital currency at once, hence the stockpiling. It can take up to a week for brokers to process you, and you can't get a whole lot of bitcoins out of a bitcoin ATM.

As recent research from IBM has shown, 32% of surveyed businesses have paid extortionists quite a bit.

20% paid more than $40,000

25% paid $20,000-$40,000

11% paid $10,000-$20,000

The mystery to me is why it is reported that more than half of 500 British IT companies surveyed aren't doing simple things to defend against ransomware – like daily backups. That's a puzzler.

July 24, 2017

For seven years, Zhengquan "Jim" Zhang worked as an IT engineer for KCG Holdings, a Wall Street securities firm, where he managed the source code for the firm's trading platform and algorithms. When news of a potential takeover started to spread, Zhang got nervous, thinking his job could be eliminated. That acquisition was completed on July 20th, three and a half months after FBI agents arrested Zhang, accusing him of stealing more than three million proprietary files, the very files that make up the core of the firm's business.

In the popular imagination, data breaches are typically brought about by outsiders: the hoodie-wearing twenty-something operating out of a dark bedroom or basement—a character out of "Mr. Robot," or NBC's "NCIS," perhaps. Maybe they're typing in Cyrillic or spreading North Korean ransomware.

But oftentimes the threat looks more like Zhang, a corporate professional few would have suspected of theft. In fact, a significant share of data breaches are caused by such insiders.

Insider data theft and privilege misuse are behind 15 percent of all data breaches, excluding those caused by errors, according to the 2017 Verizon data breach report. Sixty percent of those insider data theft incidents involve a user who intends to abscond with data "in the hope of converting it to cash somewhere down the line," according to the report. Such theft can be particularly difficult to catch, with months and even years passing before an incident is discovered. The risk of insider data theft is particularly strong in the healthcare industry, where Verizon identified 68 percent of threat actors as insiders.

The "threat from within" is leading to heightened vigilance among cybersecurity professionals.

A recent industry study by Delta Risk found that insider threats remained top of mind for many. Seventy-four percent of organizations felt vulnerable to insider threats, while almost half of surveyed security professionals said that insider risks had increased in the past year, resulting in greater rates of stolen data and security breaches.

The cost of such incidents can be huge. A typical corporate data breach costs $3.62 million, or $141 for each compromised record. Data loss caused by malicious insiders, as opposed to negligence or systems glitches, is particularly expensive, costing $156 per record.

But you don't need to despair at the proliferation of insider data theft and misuse. A strong information governance regime can help reduce insider theft risks and identify potential threats when they occur. When possible misuse arises, an agent-based data loss prevention system can alert you to suspicious activities.

At that point, some firms turn to the same discovery and data management tools that they use during litigation. In a sophisticated platform, data can be processed in a matter of minutes and culled to narrow down documents to the most important files.

Powerful search tools help you identify the "smoking gun" quickly. If an employee has been emailing herself proprietary documents, for example, that can be spotted easily. Then there are the cases when an insider has been engaged in more sophisticated wrongdoing. Zhang, for instance, allegedly subverted his firm's security measures by hacking into colleagues' accounts and modifying a company web app. In such instances, complex queries and stacking searches can help you tie together crucial concepts, keywords, and relationships in order to develop an understanding of what transpired. Exoneration or a call to the FBI could soon follow.
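The "emailing herself proprietary documents" pattern mentioned above is easy to state and worth seeing as actual detection logic. The following Python is an added example, not code from the blog, from KCG or from any discovery platform: it reads an outbound mail log, flags messages from a corporate address to an external mailbox that looks like the sender's own (same local part, or a consumer webmail domain), and totals attachment bytes per sender so that a stream of small "part1, part2" messages trips the alarm where a single message would not. The log format, the corporate and webmail domains, the byte threshold and the log lines themselves are all assumptions constructed for the example.

```python
"""Detector for 'mail it to yourself' exfiltration (added example).

Scans an outbound mail log for messages from a corporate address to an
external mailbox that looks like the sender's own and sums attachment bytes
per sender.  Log format, domains, threshold and the sample rows are assumed.
"""
import csv
import io
from collections import defaultdict

CORP_DOMAIN = "example-firm.com"                                        # assumed
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "protonmail.com"}  # assumed
BYTES_THRESHOLD = 20 * 1024 * 1024                                      # 20 MiB per sender, assumed

# Constructed outbound-mail log: timestamp, sender, recipient, attachment bytes, subject
SAMPLE_LOG = """\
ts,sender,recipient,attach_bytes,subject
2017-07-10T08:15:00Z,jdoe@example-firm.com,ops@example-firm.com,0,build status
2017-07-10T22:41:07Z,jdoe@example-firm.com,jdoe@gmail.com,15728640,src_part1.zip
2017-07-10T22:44:19Z,jdoe@example-firm.com,jdoe@gmail.com,15728640,src_part2.zip
2017-07-11T09:02:33Z,asmith@example-firm.com,asmith@gmail.com,204800,recipe.pdf
2017-07-11T09:30:00Z,bjones@example-firm.com,counsel@outside-law.com,5242880,contract.docx
"""


def is_self_external(sender: str, recipient: str) -> bool:
    """True when mail leaves the company for a box that looks like the sender's own."""
    s_user, s_dom = sender.lower().rsplit("@", 1)
    r_user, r_dom = recipient.lower().rsplit("@", 1)
    if r_dom == CORP_DOMAIN:
        return False                      # internal mail is out of scope for this rule
    return r_user == s_user or r_dom in WEBMAIL


def scan_mail_log(log_text: str, threshold: int = BYTES_THRESHOLD) -> dict:
    """Return {sender: {"bytes": total, "messages": [(ts, recipient, subject), ...]}}
    for every sender whose self-addressed external attachments reach `threshold`."""
    totals = defaultdict(lambda: {"bytes": 0, "messages": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_self_external(row["sender"], row["recipient"]):
            continue
        entry = totals[row["sender"].lower()]
        entry["bytes"] += int(row["attach_bytes"])
        entry["messages"].append((row["ts"], row["recipient"], row["subject"]))
    return {s: e for s, e in totals.items() if e["bytes"] >= threshold}


if __name__ == "__main__":
    for sender, entry in scan_mail_log(SAMPLE_LOG).items():
        print(f"{sender}: {entry['bytes']} bytes in {len(entry['messages'])} messages")
        for ts, rcpt, subj in entry["messages"]:
            print(f"   {ts}  ->  {rcpt}  ({subj})")
```

In the sample, two 15 MiB archives sent to a same-named Gmail address late at night add up past the threshold and are reported together, while the small personal PDF and the legitimate message to outside counsel are left alone. Tuning the threshold and the domain list to the firm's own traffic is the real work; the aggregation per sender is what keeps the rule from being defeated by splitting a file.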

You may not be able to thwart every data theft attempt made by a disgruntled employee, but catching such events quickly and easily can bring significant cost and reputational savings—in some cases even preventing an employee from walking away with the information that makes up the heart of a business.

July 20, 2017

Unsurprisingly, Elon Musk has been a powerful voice on the subject of artificial intelligence. On July 17th, NPR reported that he had addressed the National Governors Association meeting in Providence, telling the governors that AI poses a "fundamental risk to the existence of human civilization."

Strong words – with which I agree.

Musk told the governors that AI calls for precautionary, proactive government intervention: "I think by the time we are reactive in AI regulation, it's too late," he said.

He was clearly not thrilled to make that argument, calling regulation generally "not fun" and "irksome," but he said that in the case of AI, the risks are too high to allow AI to develop unfettered.

Back in 2014, Musk likened AI developers to people summoning demons they think they can control. In 2015, he signed a letter warning of the risk of an AI arms race.

Critics argue that Musk is interested less in saving the world than in buffing his brand. I don't buy that - I think his fear is genuine.

Some of the governors expressed skepticism about the wisdom of regulating a technology that's still in development. Musk said the first step would be for the government to gain "insight" into the actual status of current research. "Once there is awareness, people will be extremely afraid," Musk said. "As they should be."

July 19, 2017

The folks at JoyofAndroid were kind enough to send me their post about smarter Android Smartphone banking. Their 17 tips are well worth reading. It is amazing how foolish people can be when it comes to using their smartphones for online banking.

July 18, 2017

As a recent story from Wired pointed out, the federal government's claim that it needs backdoors is ludicrous given recent events. Those of us who care ardently about security have always pointed out that backdoors have a way of getting out.

Bolstering our argument, in March WikiLeaks released nearly 9,000 documents exposing the CIA's hacking arsenal. The hacking group known as the Shadow Brokers began sharing purported NSA secrets last fall, and on April 14th it released its biggest drop yet: a suite of hacking tools that target Windows PCs and servers. Exploits from that drop were used by both WannaCry and NotPetya.

If Uncle Sam is so terrible at keeping his secrets, he certainly shouldn't be entrusted with encryption backdoors!

July 17, 2017

I know that this victory for privacy could be short-lived, but huzzah for the letter written by U.S. Customs and Border Protection (CBP) acting commissioner Kevin McAleenan, which can be found in this July 13th story from The Verge. Basically, the letter (written in response to a set of questions by Sen. Ron Wyden) says that the CBP can't search travelers' cloud data at the border.

However, McAleenan draws a sharp distinction between data stored locally on the device and cloud data stored on remote servers. Customs has a fundamental mandate to search cargo as it enters the country, a mandate that McAleenan says extends to local disk drives. So your phones and computing devices are fair game.

The letter states that CBP's authority to conduct border searches extends to all merchandise entering or departing the United States, including information that is physically resident on an electronic device transported by an international traveler. By the same reasoning, it says, border searches conducted by CBP do not extend to information that is located solely on remote servers.

However, the letter's phrasing leaves room for border searches of recent e-mail and social media messages, provided the information is accessible (for instance) on a traveler's phone at the time of the search (therefore, the data is not "solely" on a remote server).

Social media searches have grown more aggressive under the Trump administration, as border agents seek more information about travelers' online activities. Even visa-holding non-citizens can be denied entry to the US if agents perceive them as a threat, so travelers are often willing to hand over passwords rather than be turned away at the border. Notably, McAleenan reserves the right to request passwords from travelers, as part of commissioning their assistance in conducting a search.

"This assistance may occur by CBP requesting that the traveler open the manual lock on his or her suitcase, or unlock or otherwise make accessible the traveler's accompanying electronic device," the letter reads. "It is important to understand that CBP does not condition entry of U.S. citizens based on the provision of a password."

To me, this underscores the importance for lawyers, in particular, to make sure there is no confidential data on their devices when exiting or entering the U.S. Burner phones have become a requirement in some law firms when traveling abroad – so have clean "loaner" laptops which connect securely while abroad and are then wiped before reentering the U.S. Amazing the lengths we have to go through to protect our clients' data these days . . .

July 13, 2017

I know what I'd like to tell the Federal Communications Commission to do with the proposal that would destroy its net neutrality rules, but I can't use that kind of language in a blog post or in my letter to them.

We all know that there is hunger among ISPs to monetize the net to create "fast lanes" for big companies willing to pay the toll. That's why the net neutrality rules were put in place, to ensure that smaller companies couldn't find their speed throttled back by money-grubbing ISPs.

Verizon, Comcast and AT&T would love to emerge as moneyed titans whose coffers are continually replenished by the largest players on the net. When money talks, fair play and equal treatment walk.

If you hate that idea as much as I do, the Electronic Frontier Foundation has made it very easy for you to get your public comment to the FCC. You can write your own "Dear FCC" letter here and make your voice heard. Keep the Internet free and neutral. Rally together and roar!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.